Inside Privacy - Updates on Developments in Global Privacy & Data Security

Earlier today, members of Congress and regulators gathered for a symposium on “The Impact of Media on the Health & Well-Being of Children.”   Participants included Congressman Edward Markey (D-MA), Congresswoman Debbie Wasserman Schultz (D-FL), Senator Richard Blumenthal (D-CT), Jon Leibowitz, Chairman, Federal Trade Commission, and Mignon Clyburn, Commissioner, Federal Communications Commission, as well as researchers and members of the public interest community.  In response to a question, Chairman Leibowitz informed the audience that the FTC expects to issue a revised Children’s Online Privacy Protection Act (“COPPA”) Rule by “the end of the year and hopefully sooner.” 

During their remarks, Congressmen Markey and Wasserman Shultz each expressed support for the Do Not Track Kids Act of 2011 (H.R. 1895), which we have blogged about here.  The bill would expand privacy protections for minors under the age of 18, including a prohibition on the use of personal information for targeted marketing to minors and a requirement that website operators provide “eraser buttons” to enable the deletion of personal information shared publicly by minors.  Senator Blumenthal also indicated that he was supportive of the legislative proposal, which he described as “common sensical,” although he stated that there likely would be substantial concern among advertisers and other stakeholders about implementation issues.

Continue Reading

The Equal Employment Opportunity Commission has issued updated guidance concerning employer use of criminal histories.  As many as 92 percent of employers use criminal background checks as part of their hiring processes. 

The EEOC’s updated guidance generally provides that the EEOC will regard as suspect blanket or automatic exclusions of individuals from employment or promotion simply based on an individual’s criminal record, particularly when the individual is an African American or a Hispanic male.  However, the EEOC indicates that it will accept as a defense to a statutory discrimination claim an employer’s showing that the exclusion is job-related and consistent with business necessity and that the employer has made an individualized determination that hiring or promoting the individual in question would be likely to create a risk of improper conduct that would be detrimental to the employer’s business or workplace.  Specifically, the guidance indicates that, in making individualized assessments, employers should consider the following three factors:

Continue Reading

Following on its passage on Thursday of the Cyber Intelligence Sharing and Protection Act (CISPA) (H.R. 3523) and the Federal Information Security Amendments Act of 2012 (H.R. 4257), the House on Friday approved two additional cybersecurity measures.

The Cybersecurity Enhancement Act (H.R. 2096), sponsored by Rep. Michael T. McCaul (R-TX), passed by a vote of 395-10. The bill would require certain federal agencies to develop and submit to Congress a cybersecurity strategic research and development plan that takes into consideration the views of stakeholders in industry and academia. The bill would also provide scholarships for students studying cybersecurity, in exchange for federal or other government service after graduation.

The Advancing America’s Networking and Information Technology Research and Development Act of 2012 (H.R. 3834), sponsored by Rep. Ralph Hall (R-TX), passed on a voice vote. This bill also addresses cybersecurity research and development and would require certain federal agencies to develop periodically updated strategic plans for achieving cybersecurity research and development goals, taking into account recommendations from stakeholders. The bill would encourage agencies to support large-scale, long-term, interdisciplinary research activities that have the potential to improve, inter alia, U.S. economic competitiveness. In addition, the bill would require the Director of the National Coordination Office, which reports to the White House’s Office of Science and Technology Policy, to establish a task force of academic, industry, and government representatives to explore mechanisms for collaborative research and design, and to convene a governmental interagency working group to address increasing use of cloud computing for research.

The House of Representatives next week will consider legislation to counter online threats as part of what the House leadership has dubbed “Cybersecurity Week.”

The House Homeland Security Committee approved the PRECISE Act on Wednesday. The committee adopted an amendment from the bill’s sponsor, Rep. Dan Lungren (R-Cal.), to remove provisions that would have required the Department of Homeland Security (DHS) to work with other federal agencies to incorporate cybersecurity standards into regulations governing covered critical infrastructure. The amended bill, H.R. 3674, would expand the existing National Cybersecurity and Communications Integration Center within DHS to facilitate the sharing of threat information and technical assistance between private entities and governments at all levels. The bill would create an advisory board of 13 private-sector representatives for the Center.

The House also plans to vote on the Cyber Intelligence Sharing and Protection Act (CISPA), a bill introduced in late November by House Intelligence Committee Chairman Mike Rogers (R-Mich.) and ranking member Dutch Ruppersberger (D-Md.). Like the PRECISE Act, CISPA would encourage the sharing of cyber threat information among businesses and the intelligence community through the National Cybersecurity and Communications Integration Center within DHS.

Continue Reading

On March 29, 2012, Director of the Federal Reserve’s Division of Consumer and Community Affairs Sandra Braunstein testified before the Senate Banking Committee on consumers’ use of mobile financial services.  Ms. Braunstein distinguished between “mobile banking,” which is a consumer’s use of a mobile device to interact with a financial institution, including checking balances and transferring funds, and “mobile payments,” which are purchases, bill payments, charitable donations, or payments to other persons using a mobile device.  After making this distinction, she referred to the Federal Reserve’s recent survey of consumers’ adoption of mobile banking and mobile payments.

The survey found that the most common reasons for consumers not adopting mobile banking were satisfaction with traditional banking services and concerns over security, including potential hackers and the perceived inadequacy of existing technology.  Consumers do not use mobile payments because of security concerns and because traditional payment forms such as cash or credit card can be regarded as being simpler or easier to use. 

These findings highlight the progress depository institutions must make to advance consumers’ use of mobile financial services: namely, enhance information security technology and inform consumers of the effectiveness of such technology.  Indeed, the survey concludes that “consumers’ perception that mobile banking and mobile payments are unsecure is currently one of the primary impediments to adoption.  If consumers’ perception of security issues changes—whether due to actual or perceived improvements—adoption rates may significantly increase.”

The Department of Commerce’s National Telecommunications and Information Administration (NTIA) sought public comment Wednesday on how to begin the process of developing voluntary codes of conduct governing consumer privacy, as called for in the privacy framework released by the White House last month.

That report argues that companies should follow seven basic principles — a Consumer Privacy Bill of Rights — when collecting, using, or disclosing consumers’ personal data. These principles are: individual control; transparency; respect for context; security; access and accuracy; focused collection; and accountability.

The framework calls on Congress to codify the general principles through legislation while stakeholders develop voluntary codes of conduct to implement the principles in particular sectors. The framework tasks the NTIA with setting up an open process in which all interested stakeholders — including companies, consumer advocates, and government officials — would develop conduct codes by consensus.

Continue Reading

The White House released a report today containing its “Consumer Privacy Bill of Rights,” referring to the new privacy framework as a “comprehensive blueprint to protect individual privacy rights and give users more control over how their information is handled.”  The report is entitled “Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy,” and it outlines a plan for implementing Consumer Privacy Bill of Rights that calls for the cooperation of industry, Congress, and international stakeholders. 

The Consumer Privacy Bill of Rights identifies seven fundamental principles that apply to personal data, which is defined as “any data, including aggregations of data, that is linkable to a specific individual.”  Those principles are individual control, transparency, respect for context, security, access and accuracy, focused collection, and accountability.

The report asks companies to work with federal agencies such as the Department of Commerce and the Federal Trade Commission to develop enforceable codes of conduct that adhere to the new Bill of Rights.  If companies voluntarily agree to abide by such codes, the report suggested, violations of the codes could be construed as deceptive or unfair trade practices under Section 5 of the FTC Act.  Congress is called on to enact comprehensive privacy legislation that embodies the proposed principles.  The report also sets forth a plan for promoting interoperability, which includes developing a streamlined approach to regulating companies that transfer personal data across borders.

The report is the product of a comprehensive review of national privacy policy in an Internet economy.  The Commerce Department’s Internet Policy Task Force began the review in 2010.

As we previously reported, the Video Privacy Protection Act reform bill sponsored by Rep. Bob Goodlatte (R-VA) passed the House.  And now the Senate Judiciary Committee’s Subcommittee on Privacy, Technology and the Law has scheduled a hearing on video privacy, to be held next Tuesday, January 31.

The VPPA has come under scrutiny in recent months because of what some say are ambiguities over how the statute applies to online video distribution.  According to Rep. Goodlatte, the House legislation was designed to address those ambiguities and clarify how companies can share information about video watching activity on social media and other websites.

Tuesday’s hearing will include testimony from Netflix General Counsel David Hyman.  Netflix, which is in mediation relating to privacy litigation brought against it in California, made news when it declined to roll out new social features within the U.S., citing confusion over how the VPPA would apply.  Also testifying are University of Minnesota Law School Professor William McGeveran, and Marc Rotenberg, Executive Director of the public interest group the Electronic Privacy Information Center. 

The hearing will be webcast on the Subcommittee’s website.

A bill introduced in the House of Representatives Thursday would require the Department of Homeland Security to take a lead role in identifying and developing cybersecurity standards for systems that control critical infrastructure. The bill also would create a non-profit clearinghouse for the sharing of cybersecurity threat information between government agencies and the private sector. Unlike some other pending data-security proposals, the bill does not include provisions requiring businesses to establish comprehensive data-security programs or to provide breach notifications.

H.R. 3674, titled the “PRECISE Act” and introduced by Rep. Dan Lungren (R-Calif.), directs the Department of Homeland Security to identify and evaluate cybersecurity risks to critical infrastructure, including private infrastructure; to identify existing standards for mitigating those risks, or to develop such standards if necessary; to create market incentives to encourage the use of the identified performance standards; and to work with the relevant agencies to incorporate “the most effective and cost-efficient” of the identified standards into the regulatory regimes governing covered critical infrastructure. The bill defines “covered critical infrastructure” as facilities or functions in which a disruption could cause significant loss of life, major economic disruption, mass evacuations for an extended length of time, or a severe degradation of national security.

Continue Reading

Leaders of the House Intelligence Committee—Chairman Rep. Mike Rogers (R-Mich.) and ranking Democrat Rep. Dutch Ruppersberger (Md.)—introduced a bill yesterday that would shield businesses from liability for sharing information relating to cyber threats with the federal Government and other entities. The bill—H.R. 3523—is intended to promote the sharing of cyber threat intelligence among businesses and the intelligence community.

The bill, which is named the Cyber Intelligence Sharing and Protection Act of 2011, would permit cybersecurity service providers and businesses that operate their own cybersecurity systems to share information related to potential cybersecurity threats with other businesses and the federal Government. Such threats include efforts to interfere with a cybersecurity network, or threats involving the theft of “private or government information, intellectual property, or personally identifiable information.”

“Personally identifiable information” is not defined.

If information is shared under the statute, “[n]o civil or criminal cause of action shall lie” against the business making the disclosure. The bill expressly preempts state law that “restricts or otherwise expressly regulates” an activity authorized by the statute. This means that state laws prohibiting the disclosure of personal information would not apply to disclosures made under the statute. The bill also exempts information shared with the federal Government from disclosure under the Freedom of Information Act (FOIA).

Last week, the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) released for public comment a draft roadmap for implementing cloud computing technology across U.S. government agencies.  The roadmap is intended to foster adoption of cloud computing by federal agencies, reduce uncertainty surrounding cloud computing by improving the information available to policymakers, and facilitate the further development of the cloud computing model.  The deadline for comments is December 2, 2011. 

The roadmap is composed of three volumes: Volume I establishes priorities for implementation and provides a general understanding and overview of the background, purpose, and next steps for the U.S. government’s cloud computing initiatives.  Volume II is a technical reference guide for people actively working on cloud computing initiatives, while volume III is intended for policymakers who are implementing cloud computing solutions.  Volume I identifies ten requirements that must be satisfied in order for cloud computing initiatives to be implemented, including international interoperability, portability, and security standards; defined government regulatory requirements, technology gaps, and solutions; and defined and implemented reliability design goals.

Sen. John Rockefeller (D-WV), chair of the Senate Commerce Committee, is still working to reach consensus on the data security bill that he and Sen. Mark Pryor (D-AR) introduced in June.  A scheduled markup was canceled in September, and the committee decided not to consider the bill at yesterday’s executive session.  Nonetheless, a spokesman for Sen. Pryor said Tuesday that lawmakers are “hoping to resolve any disagreements so the bill can be on a December markup.”

The bill, S. 1207, requires firms to establish information security policies for safeguarding personal information and to provide notice in the event of a security breach. Sens. Rockefeller and Pryor are reportedly reworking the bill in the hopes of securing bipartisan support.  A draft amendment circulated last week would, among other things:

• expressly exempt entities that are subject to information security requirements under the Gramm-Leach-Bliley Act, HIPAA or HITECH, or the Communications Act;
• delete special requirements for information brokers;
• restrict the remedies available to state attorneys general when bringing suit on behalf of state residents; and
• expand the definition of “personal information” to include unique biometric data and information about an individual when combined with authentication credentials for any financial account, but eliminate the FTC’s ability to modify the definition.

As we previously discussed, data security remains a subject of interest in both chambers of Congress.  Three other data security bills were approved by the Senate Judiciary Committee in September. Rep. Mary Bono Mack (R-CA) met with other lawmakers yesterday to discuss her breach notification bill and is confident that the legislation has enough support to pass the House Energy and Commerce Committee in the next few weeks, although the decision to schedule a full committee markup will be up to committee chairman Rep. Fred Upton (R-MI).

Last month, as we previously reported, the Federal Trade Commission (FTC) announced that it will host a December workshop to explore potential privacy and security implications raised by the increasing use of facial recognition technology.  Yesterday, Senator John D. Rockefeller IV (D-W.Va.), chairman of the Commerce, Science, and Transportation Committee sent a letter to the FTC commending the agency for its examination of this emerging technology and requesting a report following the workshop.  Senator Rockefeller indicated that the report should include potential legislative approaches to protect consumer privacy as facial recognition technology proliferates.

New uses for facial recognition technology are being deployed in both the public and private sectors.  The Federal Bureau of Investigations is working to activate a nationwide facial recognition service, Next Generation Identification, which will be available to law enforcement authorities in select states by January 2012.  And, as Senator Rockefeller noted in his letter, "facial recognition technology is already being put to use in a broad range of commercial areas," including real-time scanning to identify the demographic features of crowds or of individuals standing next to advertising displays, as well as scanning of photographs users upload to an online service to identify the individuals depicted in them.

The FTC workshop is scheduled for December 8, 2011, and Senator Rockefeller has requested that the FTC provide a preliminary report to the Senate Committee on Commerce, Science, and Transportation by February 8, 2012.

Yesterday, the House Subcommittee on Commerce, Manufacturing, and Trade held a hearing entitled , “Understanding Consumer Attitudes About Privacy.”  The hearing featured a single panel with a mix of industry representatives and consumer privacy advocates, including representatives from Intuit, Microsoft, the Digital Advertising Alliance, Evidon, and the World Privacy Forum. 

A primary focus of the hearing was the efficacy of industry self-regulatory initiatives and other efforts to provide consumers with information and choices about managing their online privacy.  In particular, members expressed interest in the “About Ads” self-regulatory principles for online behavioral advertising and other company-specific efforts to provide consumers with notice and choice. 

Continue Reading

Jonathan Mayer of Stanford’s Center for Internet and Society unveiled the Center's latest research report, “Tracking the Trackers: Where Everybody Knows Your Username,” at the National Press Club Tuesday morning. The event also featured remarks from Federal Trade Commission Chairman Jon Leibowitz and Senior Counsel to the U.S. Senate Committee on Commerce, Science and Transportation Christian Fjeld and a panel discussion on potential harms facing users from data collection.

In the study, Mayer and his fellow researchers looked at whether data collected and shared by major websites remained anonymous. The team specifically looked for evidence of “leakage," that is, the sharing of identifying information that can connect browsing activity with a user account or discrete individual. Where such a connection can be made, Mayer says, the information collected is no longer anonymous, or solely indicative of browsing activity in a particular moment in time. It is instead “pseudonymous,” because it is connected in a "clickstream" to past and future browsing activity.

The team opened user accounts with 185 websites to analyze the data provided by those websites to third parties (for example, advertising and data collection partners). The team found that 113 websites, or 61%, shared a username or user ID when sharing browsing data. Mayer noted that this sharing may be in conflict with some of the websites’ privacy policies, which disclaim the sharing of user information linked to “personally identifiable information.”

Mayer emphasized that there was no indication any of the sharing uncovered was intentional; in fact, he said it was “reasonable to infer that in the majority of cases it wasn’t intentional.” The study’s take away, Mayer said, is that “the web is suffused with identity,” and industry and consumers should recognize that this sort of sharing occurs.

Continue Reading

As covered in our earlier blog post, the Dodd-Frank Wall Street Reform and Consumer Protection Act establishes the Office of Financial Research (OFR) to collect and analyze U.S. financial data for financial regulators.  The OFR is tasked with, among other responsibilities, supporting the Financial Stability Oversight Council’s oversight of systemic risk, developing tools for measuring risk levels and trends in the U.S. financial sector, and performing applied financial research for financial regulators. 

One of the OFR’s initiatives is to design a global classification system for identifying all parties to financial contracts.  The classification system is called a legal entity identifier (LEI) system.  An LEI is a unique number that identifies a legally distinct entity that engages in financial market activities.  One of the system’s objectives is to give policymakers a more in-depth and accurate view of the U.S. economy’s and global economy’s exposure to certain market participants.  The OFR has been working with international financial regulators, self-regulatory bodies, and payment and settlement systems to design the LEI system.  The OFR announced that it hopes to commence the LEI system in 2012. 

The collection of LEI information for all financial transactions may raise privacy concerns depending on the level of granularity and type of information collected.  The OFR has come under attack recently by Congress because of potential privacy issues, and on September 24, 2011, a group of Republican congressmen introduced H.R. 3044, which would repeal in their entirety provisions in Dodd-Frank establishing the OFR. 

Politico and other news sources are reporting that the House Energy and Commerce Committee’s Subcommittee on Commerce, Manufacturing and Trade plans to hold a hearing on the FTC’s proposed revisions to the Children’s Online Privacy Protection Act rule.  We previously analyzed the FTC’s proposal here. 

The hearing has not yet been formally announced but is scheduled for October 5, according to a spokesman for Rep. Mary Bono Mack (R-CA), chair of the Subcommittee.  The Subcommittee, continuing its ongoing series of hearings on Internet privacy, plans to look into the FTC's proposed amendments and the need for additional protections for children online.

Yesterday, the House Energy and Commerce Committee’s Subcommittee on Commerce, Manufacturing and Trade held a hearing­ titled “Internet Privacy: The Impact and Burden of EU Regulation.”  The European Union’s Data Privacy Directive found few unalloyed supporters at Thursday’s hearing, the second in a series of hearings on Internet privacy, but the subcommittee’s leaders reaffirmed their desire to see some improvements in U.S. privacy practices.  Click the jump to see a summary of key Representatives and witnesses’ statements.

Continue Reading

As The Hill and other news outlets are reporting, Sen. Richard Blumenthal (D-CT) — who previously was one of the most active state attorneys general on privacy and data security issues before joining the Senate in 2011 — has introduced data protection legislation. This will be the eighth breach notification bill introduced on Capitol Hill during the 113th Congress.

The breach notification components of Sen. Blumenthal’s draft bill share some similarities with legislation introduced by Sen. Patrick Leahy (D-VT) (S. 1151):

• The legislation would give the Attorney General the primary enforcement role, but would authorize the Federal Trade Commission to craft rules as to appropriate data security controls and safeguards.
• Notice to the FBI and Secret Service would be required within 14 days of discovering a breach and 48 hours before notifying any individuals for any breach involving a certain number of individuals or a database of a certain size.
• Businesses would be require to notify individuals of a breach without unreasonable delay, but in any event within 60 days of discovering a breach.
• Like S. 1151, the Blumenthal legislation would relieve businesses from the obligation to notify consumers if there is no significant risk of harm to individuals, but would require businesses to document their risk of harm analysis in a written risk assessment submitted to law enforcement.

However, there apparently are a number of significant differentiators between Senator Blumenthal’s draft legislation and the other bills that have circulated. These include providing a private right of action -- with attendant substantial civil penalties -- for individuals to pursue in the event they are aggrieved by a violation of the Act's data security protections or breach notification requirements.  The draft bill also would create a presumption of commonality for class certification purposes and limit the ability of businesses to direct disputes to arbitration in advance of a breach. And, the bill would impose criminal penalties for certain online data collection practices conducted without the consent of individuals.

Your company has just launched an innovative new social media service, and you’ve received fanfare from the press, increased website traffic, and a spike in advertising revenues.  In short, the service is a complete success — until you’re served with a class action complaint seeking millions of dollars in damages and a civil investigative demand from the FTC.  What did you do wrong, and what can you do to get out of this mess?

That’s the question that I recently explored as a part of a panel at the summer meeting of the Virginia Bar Association on the benefits and risks of social media.  On the panel, we discussed the many ways that social media has influenced law and policy over the past few months and highlighted what businesses and their lawyers need to understand about privacy issues online in order to avoid litigation and regulatory enforcement. 

One of the main reasons that companies face litigation and investigations in the social media area is that they haven’t fully evaluated the information that they are collecting through social media and how that information is (or could be) used.  That is why the discussion on privacy today is coalescing around the concept of “privacy by design,” which Kashmir Hill at Forbes recently described as companies “bak[ing] privacy into their products” rather than considering privacy only reactively.  (You can read more about privacy by design here.)

Continue Reading

Jon Leibowitz, chairman of the Federal Trade Commission, and Cameron Kerry, general counsel of the Department of Commerce, spoke today about the need for industry codes of conduct to address emerging privacy issues.  They were the featured speakers at an event held by the Brookings Institution on strategies to protect consumer privacy while ensuring continued innovation on the Internet.

As we previously discussed, the Commerce Department has called for baseline consumer privacy protections that would serve as the basis for codes of conduct that specify how the baseline principles apply in particular contexts.  At today’s event, Kerry provided more detail about the Department’s proposal.

Continue Reading

By Katie Keith

Yesterday, two Subcommittees of the House Energy and Commerce Committee (Commerce, Manufacturing and Trade and Communications and Technology) held a joint hearing entitled “Internet Privacy:  The Views of the FTC, the FCC, and NTIA” that featured testimony from FCC Chairman Julius Genachowski, FTC Commissioner Edith Ramirez, and NTIA Assistant Secretary Lawrence Strickling.  Topics discussed included the need for privacy and data security legislation, the development of baseline governing principles, and current efforts by each agency to engage stakeholders on these issues. 

Legislators from both Subcommittees recognized the economic and social value of the Internet throughout the hearing and emphasized that nearly every aspect of our daily lives now has an online component.  Despite its “incalculable value,” the Chairwoman of the Subcommittee on Commerce, Manufacturing and Trade, Rep. Mary Bono Mack (R-Cal.), characterized the Internet as a “work in progress” and expressed concerns shared by many Members of the two Subcommittees over the collection, use, sharing and protection of online data and the need to improve consumer education.  The witnesses generally shared these concerns, and although their testimony did not reflect a shift in policy at the FTC, FCC, or NTIA, the dialogue between the legislators and regulators did shed light on the current state of thinking about privacy regulation at the federal level. 

Continue Reading

Among the numerous federal privacy and data security bills that have been introduced in Congress over the last four months, Senator Franken's "Location Privacy Protection Act" (S. 1223) focuses specifically on the collection of geolocation data by covered entities through mobile devices.  The bill would prohibit entities that offer or provide services to certain mobile devices from collecting and disclosing a consumer’s geolocation information, unless the company has obtained the consumer’s express consent.

“Geolocation information” is defined to include any information that (1) concerns the location of an electronic communications device that is generated or derived from the consumer’s use of the device and (2) may be used to identify or approximate the location of the device.  The term does not include, however, any temporarily assigned network address or IP address.  

The legislation would be enforced by the U.S. Attorney General, state attorneys general, and private individuals (who would have the right to bring private lawsuits).

Sen. Franken has shown a strong interest in mobile privacy issues.  As we blogged here in May, Sen. Franken has requested that Apple and Google require all applications available in the Apple App Store and the Android App Market to have “clear and understandable” privacy policies.

In light of the number of privacy and data security-related bills currently being considered by Congress, we thought it might be helpful to provide a roundup of the legislation introduced or circulated to date:

Comprehensive privacy legislation:

• BEST PRACTICES Act, H.R. 611 (Rep. Rush): introduced Feb. 10, 2011.  Referred to the House Subcommittee on Commerce, Manufacturing, and Trade. 
• Commercial Privacy Bill of Rights Act of 2011, S. 799 (Sens. Kerry and McCain):  introduced Apr. 12, 2011.  Referred to the Senate Committee on Commerce, Science, and Transportation.
• Consumer Privacy Protection Act of 2011, H.R. 1528 (Reps. Stearns, Matheson, Bilbray, and Manzullo):  introduced Apr. 13, 2011.  Referred to the House Subcommittee on Commerce, Manufacturing, and Trade. 

Do Not Track:

• Do Not Track Me Online Act, H.R. 654 (Rep. Speier):  introduced Feb. 11, 2011.  Referred to the House Subcommittee on Commerce, Manufacturing, and Trade. 
• Do-Not-Track Online Act of 2011, S. 913 (Sen. Rockefeller): introduced May 9, 2011.  Referred to the Senate Committee on Commerce, Science, and Transportation. 

Children’s privacy:

• Do Not Track Kids Act of 2011, H. R. 1895 (Reps. Markey and Barton):  introduced May 13, 2011.  Referred to the House Committee on Energy and Commerce. 

Data security and breach notification:

• Data Accountability and Trust Act, H.R. 1707 (Reps. Rush, Barton, and Schakowsky):  introduced May 4, 2011.  Referred to the House Committee on Energy and Commerce. 
• Data Accountability and Trust Act of 2011, H.R. 1841 (Reps. Stearns and Matheson): introduced May 11, 2011.  Referred to the House Committee on Energy and Commerce. 
• Personal Data Privacy and Security Act of 2011, S. 1151 (Sens. Leahy, Schumer, Cardin, and Franken):  introduced June 7, 2011.  Referred to the Senate Committee on the Judiciary. 
• Secure and Fortify Electronic Data Act, H.R. ___ (Rep. Bono Mack): discussion draft released June 13, 2011.  Hearing held by the House Subcommittee on Commerce, Manufacturing, and Trade.
• Data Security and Breach Notification Act, S. 1207 (Sens. Pryor and Rockefeller): introduced June 15, 2011.  Referred to the Senate Committee on Commerce, Science, and Transportation. 

Geolocation privacy:

• Geolocation Privacy and Surveillance Act, H.R. 2168 (Reps. Chaffetz and Goodlatte): introduced June 14, 2011.  Referred to the House Committee on the Judiciary and the House Committee on Intelligence (Permanent Select). 
• Geolocation Privacy and Surveillance Act, S. 1212 (Sen. Wyden): introduced June 15, 2011.  Referred to the Senate Committee on the Judiciary. 
• Location Privacy Protection Act of 2011, S. 1223 (Sens. Franken and Blumenthal): introduced June 16, 2011.  Referred to the Senate Committee on the Judiciary. 

ECPA:

• Electronic Communications Privacy Act Amendments Act of 2011, S. 1011 (Sen. Leahy):  introduced May 17, 2011.  Referred to the Senate Committee on the Judiciary. 

Financial privacy:

• Financial Information Privacy Act of 2011, H.R. 653 (Reps. Speier, Hastings, and Filner): introduced Feb. 11, 2011.  Referred to the House Subcommittee on Financial Institutions and Consumer Credit. 

by David Fagan, Libbie Canter, and Josephine Liu

The House Subcommittee on Commerce, Manufacturing and Trade held a hearing yesterday on draft data security legislation authored by Chairwoman Mary Bono Mack (R-CA).  The hearing was very well attended with significant substantive engagement by Subcommittee members on both sides of the aisle — an indication that the Subcommittee and the broader House Energy and Commerce Committee are committed to moving data security legislation this year.  To that end, it is worth noting that while the House last year passed legislation drafted by Rep. Bobby Rush (D-IL) — which was re-introduced earlier this year, along with a similar legislation from Rep. Cliff Stearns (R-FL) — Rep. Bono Mack’s legislation, the Secure and Fortify Electronic Data Act, or SAFE Data Act, is expected now to form the basis for legislation in the House this year.

Continue Reading

Over the past few weeks, online publishers have seen regulators' focus on privacy in the social media context reach the boiling point.  Just this week, Politico reported that FTC Chairman Jon Leibowitz confirmed in a letter to Sen. Mark Pryor that "FTC staff are carefully monitoring the privacy and security issues associated with social networking sites."  Sen. Pryor, who chairs the Consumer Protection Subcommittee of the Senate's Committee on Commerce, Science, and Transportation, had expressed concern about privacy and security issues in the context of social media apps, and so we expect that social media privacy issues will play a key role in forthcoming online privacy legislation.  (We've posted Sen. Pryor's letter to Leibowitz here.)

The announcement of the FTC's focus on social networking comes on the heels of the FTC's highly publicized settlement with Google over its Buzz product, which Erin Egan reported on earlier this year and was just approved by the court last week.  According to FTC blogger Lesley Fair, the agency alleged that consumers "weren’t adequately informed that certain information that had been private — including the people they chatted with or emailed most often — would be shared publicly by default."

For other online publishers, the headline from the Google Buzz settlement is the requirement that Google implement a comprehensive "privacy by design" program across all of its products.  In a recent speech, FTC Consumer Protection Bureau Chief David Vladick pointed to this aspect of the Google settlement as a key shift in the agency's expectations for social media providers generally.  In fact, the FTC has announced that it wants the privacy by design provisions of the Google settlement to "serve as a guide to industry."  Privacy by design programs, it said, are a "good idea for all companies" and should be "flexible and scalable."

Continue Reading

The House Energy and Commerce Commerce has announced plans for a “comprehensive review” of privacy and data security regulation.  The announcement explained that the “first phase” of the Committee’s review would be devoted to an assessment of the need for data security legislation.  The committee will then consider what Chairman Fred Upton referred to as “the more complex questions about individual privacy in the digital era.” 

There has already been considerable activity on the data security front in the Committee, with members Cliff Stearns and Bobby Rush proposing broad legislation and Mary Bono Mack pledging to do the same.  Much of this activity has taken place in the Subcommittee on Commerce, Manufacturing and Trade Subcommittee (of which Stearns and Rush are members and Bono Mack is chair).  But in the press release outlining the agenda , Rep. Greg Walden, who chairs the Communications and Technology Subcommittee, also weighed in on the importance of the issues surrounding data protection.   It remains to be seen whether this Subcommittee-- which has been involved in privacy and data security issues in past Congresses--will become more involved in this Congress. 

On a related note, the Commerce, Manufacturing and Trade Subcommittee held a hearing on data security yesterday.  We will discuss that hearing in a subsequent post. 

The Federal Communications Commission is seeking public comment on the use of location-based services in connection with a forthcoming staff report.  Comments are due to the FCC by July 8, 2011.

The agency also is teaming up with the Federal Trade Commission to host an educational forum on June 28, 2011, to help consumers understand the privacy implications of location-based services.  Representatives from mobile phone carriers, technology companies, consumer advocacy groups, and academia will discuss how these services work; their benefits and risks; industry best practices; and what parents should know about location tracking when their children use mobile devices.  

Location-based services have been the topic of a number of recent Congressional hearings.  Part of the focus at the most recent of these hearings was on children’s privacy.  Senator Rockefeller, Chairman of the Senate Commerce Committee, has sent letters to Apple, Google, and the Association for Competitive Technology with questions to help determine whether the applications running on their mobile platforms comply which the Children's Online Privacy Protection Act (COPPA).

By Elizabeth Katz & Steve Satterfield

Twenty-five years after authoring the Electronic Communications Privacy Act (“ECPA”), Senator Patrick Leahy has introduced a bill, the ECPA Amendments Act of 2011 (S. 1011), that is intended to adapt the Act to the privacy and security challenges of the 21st Century.  The bill would amend Title II of ECPA, commonly called the “Stored Communications Act” or “SCA,” which regulates the disclosure to private parties and the U.S. government of electronic communications in storage with certain service providers.  Much of S. 1011 increases the requirements that the U.S. government must satisfy to compel disclosure of covered communications. 

The bill was introduced amid a flurry of activity in the Senate related to privacy and data security.  Last week, the newly formed Senate Subcommittee on Privacy, Technology and the Law held a hearing on privacy in the mobile communications context (which also touched on ECPA reform), and the Senate Commerce Committee held a similar hearing today (its sixth hearing on consumer privacy in the past 13 months). 

After the jump is a summary of S. 1011’s key provisions. 

Continue Reading

This is another big week for privacy. On Monday, Senate Commerce Chairman Jay Rockefeller introduced the Do-Not-Track Online Act of 2011, which we posted about here. And yesterday, the newly created Senate Subcommittee on Privacy, Technology and the Law held its first hearing.  The hearing focused on mobile privacy issues, but also touched on other important privacy-related matters, including reform of the Electronic Communications Privacy Act and data security breaches. The following are highlights from the hearing:

• Jessica Rich, Deputy Director of the Federal Trade Commission's Bureau of Consumer Protection, testified that the FTC has "a number of active investigations into privacy issues associated with mobile devices, including children's privacy."
• Ms. Rich also noted that the draft Staff Report published by the FTC in December addresses mobile privacy issues in certain respects, including recommending that companies obtain affirmative express consent before collecting or sharing sensitive information such as precise geolocation data. In response to a question from Senator Al Franken, Ms. Rich explained that location data is especially sensitive because it often involves the data of children and teens and, when gathered over time, can be used to determine what church or political meetings a person attends and when and where a child walks to and from school. She also noted stalking concerns. Ms. Rich also expressed concerns that mobile users are even less likely than other online consumers to read detailed privacy screens, given the small screens of most mobile devices, but noted that the FTC Staff Report recommends clearer disclosures and simpler consent mechanisms. With respect to the status of the Staff Report, Ms. Rich’s written remarks indicate that FTC staff is analyzing the comments it received on its draft Staff Report and will take them into consideration in preparing a final report for release later this year.

Continue Reading

By David Fagan & Libbie Canter

Last week, Congressman Bobby Rush (D-Ill.) reintroduced the Data Accountability and Trust Act (H.R. 1707).  During the 111th Congress, the House of Representatives approved the same measure by voice vote, but the legislation, introduced in the Senate by Senators Jay Rockefeller (D-WV) and Mark Pryor (D-Ark.), did not make it out of the Senate Commerce Committee before the end of the session.  The legislation would create a federal breach notification standard and authorize the FTC to promulgate information security and data disposal regulations.

• Scope.  The legislation covers persons engaged in interstate commerce, with certain additional requirements applicable to information brokers.  The provisions generally apply to the ownership or possession of personal information, which is defined as a person’s “first name or initial and last name, or address, or phone number, in combination with any 1 or more of [certain] data elements.”  Those data elements include social security number, driver’s license number, other government-issued identification numbers, and financial account numbers. 
• Breach Notification.  Following discovery of any unauthorized acquisition or access to electronic data containing personal information, businesses typically would be required to notify the FTC and any resident of the United States whose personal information was acquired or accessed.  Where notice is required to 5,000 or more individuals, the major credit reporting agencies would also need to be notified.
  • Timing.  Under the bill, notification would be required not later than 60 days following discovery of the breach, with a limited number of exceptions available.
  • Content Requirement.  Consumer notifications would be required to include the date of the breach; a description of the personal information accessed; a telephone number for further inquiries; notice that the individual is entitled to receive certain credit protection products at no charge (which the Act would require businesses to furnish); and contact information for the major credit reporting agencies and the FTC.
  • Obligation to Furnish Credit Products.  The bill indicates businesses will be required to provide or arrange for the provision of free consumer credit reports on a quarterly basis and credit monitoring to affected individuals for a period of two years following a breach.  The bill directs the FTC to promulgate rules with respect to the circumstances in which such credit products will be required to be offered.
  • Risk of Harm.  There is no notification requirement or other obligations on a business if it determines there is no reasonable risk of identity theft, fraud, or other unlawful conduct.  This is presumed to be the case if the data is encrypted or otherwise unreadable, although the bill directs the FTC to promulgate regulations on the technologies that adequately render data unreadable.
  • Service Providers.  Third parties contracted to maintain or process data and service providers would be required to notify the owner of the information, which would then have the obligation to notify the FTC and consumers.

Continue Reading

CNET reports that Rep. Jay Inslee (D-WA) is calling on the FTC to investigate Apple's privacy practices, particularly with respect to location-based services.  In a letter to FTC Chairman John Leibowitz, Inslee expressed concern about users' lack of awareness of "location-aware technology."  He writes: 

"Citizens expect to be able to know the extent to which their private information is being collected. In this case, Apple's only apparent disclosure comes buried in the vaguely worded language of a lengthy terms and conditions agreement. Furthermore, agreement on the part of the user is apparently granted simply by 'using location-based services on your iPhone.' The fact that no iPhone user was aware of this activity until two tech-savvy researchers stumbled upon it illustrates the lack of adequate disclosure."

Inslee's letter is only the most recent statement of concern by a member of a Congress about the privacy implications of location-based services.  Sen. Al Franken (D-MN), who chairs the Senate Subcommittee on Privacy, Technology, and the Law, has scheduled a hearing for May 10 on mobile technology and privacy, at which representatives from Apple and Google will testify along with officials from the Department of Commerce and the FTC.   Sen. Jay Rockefeller reportedly also plans to hold a hearing in May on mobile privacy, but no date has been set.     

It is noteworthy that, thus far, members of Congress appear only to be concerned to with the makers of operating systems for smartphones, and not the makers of "apps" that often use location-based information to provide services to smartphone users.  This parallels a similar narrowing of focus in the most prominent lawsuit arising out of alleged tracking in the mobile context, In re iPhone Application Litigation.  As we noted last week, although the original complaint named several app makers as defendants, the amended complaint has dropped those companies from the suit.

As expected, Rep. Cliff Stearns (R-FL) and co-sponsor Rep. Jim Matheson (D-UT) introduced the “Consumer Privacy Protection Act of 2011” earlier today.  The bill follows closely on the heels of the “Consumer Privacy Bill of Rights Act” (S. 799), which was introduced yesterday by Senators John Kerry (D-MA) and John McCain (R-AZ).  (You can read our summary of S.799 here.)  The following is a summary of Rep. Stearns’ bill that highlights its key differences from S.799.

Scope:  The bill would regulate the online and offline collection and use of traditional forms of personally identifiable information (e.g., name, address, email).  The scope is therefore narrower than S.799, which also covers the collection and use of “unique identifiers” and IP addresses. 

Notice obligations:  The bill requires covered entities to provide notice in three instances: 

• Notice in a privacy policy;
• Notice in a “statement” made before any PII collected from a consumer is used for a purpose unrelated to the transaction for which it was collected; and
• Notice for material changes to privacy policy statements.    

S.799 contemplates the first and third forms of notice; not the second. 

Consent obligations:  Unlike S.799, the Stearns bill does not obligate entities to obtain opt-in consent in any circumstance.  It requires opt-out consent before selling PII that may be used for a purpose unrelated to the transaction in which the PII was collected unless the purchasing entity is (1) under common control with the covered entity; or (2) contractually obligated to comply with the practices enumerated under the entity’s privacy policy.  A covered entity may provide the consumer an opportunity to permit the sale (or disclosure for consideration) of such information in exchange for a benefit to the consumer. 

In other circumstances, a covered entity may offer consumers other opportunities to limit collection or use of PII, but is not required to do so. 

Continue Reading

On Wednesday, April 6, the Senate Judiciary Committee held a hearing to examine ECPA, the Electronic Communications Privacy Act.  The hearing, which focused on the federal government’s perspective on ECPA reform, followed up on a hearing held last September and Sen. Patrick Leahy’s (D-VT) January 2011 pledge that “[t]he Judiciary Committee will continue the work we started last year to update the Electronic Communications Privacy Act, so that security agencies have the tools needed to keep us safe from cyber threats, and our Federal privacy laws keep pace with advancing technology.” 

Cameron Kerry, general counsel of the Commerce Department, offered general considerations for ECPA reform, suggesting that there should be a principled relationship between the legal protections for electronic information and comparable offline materials, and also that the protections should be connected to ordinary citizens’ reasonable privacy interests.  James Baker, associate deputy attorney general at the Justice Department, flagged eight issues under ECPA that merit further examination.  He also testified that the Justice Department is working internally on specific language to support its proposals. 

Senator Leahy expressed an interest in seeing the administration’s recommendations, noting wryly, “Inertia sometimes gets the greatest bipartisan support on the Hill, but I’d like to see us move forward.”

Just a week after the Obama Administration announced its support for comprehensive privacy legislation in testimony before the Senate Commerce Committee, Senator John Kerry (D-Mass.) has released a draft bill that attempts to respond to the Administration's call for broad baseline privacy protections for consumers.   Kerry's bill, which is co-sponsored by Senator John McCain (R-Ariz.) is still undergoing revisions, but a draft [PDF] was released to the public earlier this week. 

We have closely followed congressional efforts on privacy legislation over the 112th Congress and would offer this high level overview of how the Kerry/McCain legislation stacks up against other efforts:

• The draft envisions a significant role for the FTC and includes provisions requiring the FTC to promulgate rules on a number of important issues, including the appropriate consent mechanism for uses of data.  The FTC would also be tasked with issuing rules obligating businesses to provide reasonable security measures for the consumer data they maintain and to provide transparent notices about data practices.
• The draft also states that businesses should "seek" to collect only as much "covered information" as is reasonably necessary to provide a transaction or service requested by an individual, to prevent fraud, or to improve the transaction or service.  
• "Covered information" is defined broadly and would include not just "personally identifiable information" (such as name, address, telephone number, social security number), but also "unique identifier information," including a customer number held in a cookie, a user ID, a processor serial number or a device serial number.  Unlike definitions of "covered information" that appear in separate bills authored by Reps. Bobby Rush (D-Ill.) and Jackie Speier (D-Cal.), this definition specifically covers cookies and device IDs.
• The draft encompasses a data retention principle, providing that businesses should only retain covered information only as long as necessary to provide the transaction or service "or for a reasonable period of time if the service is ongoing." 
• The draft contemplates enforcement by the FTC and state attorneys general.  Notably -- and in contrast to Rep. Rush's bill -- the draft does not provide a privacy right of action for individuals who are affected by a violation. 
• Nor does the bill specifically address the much-debated "Do Not Track" opt-out mechanism that was recommended in the FTC's recent staff report on consumer privacy.  (You can read our analysis of that report here.) 

As noted above, the draft is reportedly still a work in progress.  Inside Privacy will provide additional commentary on the Kerry legislation and other congressional privacy efforts as they develop.     

Following up on Wednesday’s Senate Commerce Committee hearing, Rep. Mary Bono Mack (R-CA) indicated yesterday that the House Subcommittee on Commerce, Manufacturing and Trade will also hold hearings on online privacy matters later this spring.  The Subcommittee, which she chairs, will look at the state of current privacy laws, transparency in privacy policies, and protections for children online. 

Her statement is further evidence that Congress is continuing to take an active interest in privacy issues, as we previously noted.  Here is a roundup of additional recent developments:

• Shortly after Rep. Bono Mack’s statement was issued, Rep. Cliff Stearns (R-FL) noted that he is currently drafting privacy legislation and looks forward to working with Chairwoman Bono on the issue of online privacy.
• On March 10, Senate Commerce Committee Chairman John Rockefeller (D-WV) and Ranking Member Kay Bailey Hutchison (R-TX) sent a letter questioning whether the activities of the Senate Judiciary Committee’s newly formed Subcommittee on Privacy, Technology and the Law would overlap with the consumer privacy work already being done by the Commerce Committee.  The letter noted that members of the Commerce Committee “have made consumer privacy issues a priority” and that several have announced plans to introduce comprehensive privacy legislation.
• On February 24, in response to media reports that Google collected partial Social Security numbers of children who participated in the Doodle 4 Google art contest, Reps. Edward Markey (D-MA) and Joe Barton (R-TX), Co-Chairmen of the House Bi-Partisan Privacy Caucus, stated that they planned “to convene a Caucus hearing to discuss industry practices as they relate to online privacy.” 

Last Friday, the U.S. Court of Appeals for the D.C. Circuit issued its opinion in litigation between the American Bar Association (ABA) and the Federal Trade Commission (FTC) over the scope of the FTC’s Red Flags rule.  The Court held the ABA's claims moot in light of recently-enacted legislation.   

The Red Flags rule requires covered entities to design and implement identity theft prevention programs.  In August 2009, the ABA challenged the FTC’s authority to enforce the rule with respect to attorneys.  In December 2010, Congress passed the Red Flag Program Clarification Act, which amended the definition of “creditor” in the underlying statute to limit the scope of the FTC’s rule.  We covered in previous blog posts the Act as well as supplemental briefs (here and here) filed by both parties arguing over the Act’s impact on the litigation.  The Court held that the ABA’s claims were now moot because the Act caused there to no longer be a case or controversy. 

The ABA’s claims for injunctive relief were premised on the original definition of “creditor” prior to passage of the Act.  The Court stated that “the policy, rule, and statute that gave rise to [the] suit are no longer in the same posture.”  The Court acknowledged that the FTC could promulgate new regulations seeking to subject attorneys to the Red Flags rule but dismissed it as a mere “hypothetical possibility” not giving rise to a live dispute. 

FTC Chairman Jon Leibowitz applauded the Court’s decision for vindicating the FTC’s contention that the case should be dismissed.

The pace of privacy legislation at the federal level has begun to pick up, with news that Senator John Kerry (D-MA) and Representative Bobby Rush (D-IL) both will introduce comprehensive privacy bills in the coming days or weeks. 

In discussing Senator Kerry's proposal, staff have suggested that it will build on the three key privacy principles that Kerry announced late last year following the release of the FTC's privacy report:

1. All firms must put procedures in place to secure personally identifiable information.
2. Consumers have a right to know in clear and concise terms what firms intend to collect, why, and how it will be used.
3. Consumers should be given a simple mechanism for opting out of the process.

Among other provisions, the Kerry draft is expected to include a safe harbor provision that will encourage participation in an industry-wide opt-out program.

On the House side, Representative Rush is expected to reintroduce his privacy bill from last Session, potentially with the addition of a do-not-track component based roughly on the do-not-track proposal included in the FTC's privacy report.

While Kerry and Rush are perennial participants in the privacy debate, the surprise newcomer is Jackie Speier, a freshman Democrat from California.  Formerly a state legislator, Speier's consumer protection focus historically has been on safety issues, such as vehicle and consumer product defects.  But she is not a stranger to consumer privacy, having sponsored a California financial privacy bill during her time in the state legislature.  According to Politico, Speier's bill will be "narrowly tailored" to do-not-track.  Rather than handling technical details in the bill itself, Speier would authorize the FTC to conduct a rulemaking proceeding to decide exactly how do-not-track should be implemented.

It's not yet clear whether Speier's bill will gain traction in the House -- particularly given that it will be competing with Rush's bill, which has a more established track record. In both cases, though, because they are being introduced into a majority-Republican House the bills may face an uphill climb unless Rush and Speier find Republican co-sponsors for the measures.

Regardless of what happens with these individual bills, against the background of the FTC and Department of Commerce privacy proceedings, what is clear is that broad-based consumer privacy legislation will be a key issue for consumers and businesses that care about privacy to focus on this Congress. 

On January 19, U.S. Representative Steve Cohen (D-TN) introduced H.R. 321, the “Equal Employment for All Act,” which would amend the Fair Credit Reporting Act to restrict employers from using consumer credit reports to make adverse employment decisions (e.g., hiring, promotion, termination) regarding prospective or current employees.  The Act contains exceptions for, among other scenarios, positions that require national security clearances and managerial positions at financial institutions. 

H.R. 321 is the first federal legislation to restrict employers’ use of employee credit reports, but there has already been considerable activity at the state level.  Four states - Hawaii, Illinois, Oregon, and Washington - already have laws restricting employer use of employee credit reports, and 13 more states are considering legislation that would impose similar restrictions.

We will continue to monitor federal and state developments in this area and keep you posted as these bills make their way through the legislative process.   

In testimony before a House Judiciary subcommittee on Tuesday, Jason Weinstein (Deputy Assistant Attorney General for the DOJ Criminal Division) emphasized the importance of data retention from internet and cell phone service providers in fighting crime.  He invited Congress to consider legislation that would strengthen data retention standards.  Weinstein offered several examples of federal and state investigations that were stymied due to service providers’ inability to produce user records.  In many instances, service providers had short or non-existent retention periods. 

Currently, service providers are required to preserve user records only after receiving a request from law enforcement.  There is no independent obligation to preserve user records for a fixed amount of time.  Weinstein acknowledged that data retention requirements can be costly for service providers, but he said that leaving the decision up to providers did not properly account for the public safety interest in data retention.  Chairman of the Judiciary Committee Lamar Smith (R-TX) was generally supportive of the DOJ’s request.

Here’s a five-minute overview of the five major bodies that will influence the privacy, data protection and data security areas as we start 2011.

1.       The Federal Trade Commission.  The FTC’s privacy efforts focus on the FTC Act’s broad prohibition against “unfair or deceptive” acts or practices.  The FTC also has played a valuable role in providing guidance to companies on appropriate privacy practices and has fostered valuable groups heading up industry self-regulatory efforts.  But in December 2010, the FTC signaled that “self-regulation has not kept pace with technology.”  The FTC’s report suggests a new normative framework for all commercial entities -- online and offline -- that handle any data that “can be reasonably linked to a specified consumer.”  The report has three core principles:

• Privacy by Design.  Companies should adopt practices to limit data collection, protect data that is collected, implement reasonable data retention periods, and ensure the accuracy of data as part of the design of their products and services.
• Choice.  Companies should provide real choices to consumers, unless data is collected for “commonly accepted practices.”  These choices should be clear and presented at the point where data is provided.  A do-not-track option for targeted advertising also is suggested.
• Transparency.  The FTC calls for privacy policies that are short, clear and standard.

Comments are due February 18, and the FTC will issue a final report in the late spring.

2.       The Obama Administration.  The Department of Commerce in December 2010 issued a “green paper” on privacy practices in the commercial sector.  It recommends adoption of a national framework that would be built around a set of “fair information practice principles,” many of which would track the FTC’s recommendations.  However, the Commerce approach is more encouraging to industry self-regulation than the FTC.  It suggested that those adhering to self-regulatory guidelines might gain the benefit of a safe harbor.  Comments on its report are due on January 28.

3.       Congress.  Privacy bills were introduced in the last Congress, after much study and debate, but the 111th Congress expired without new legislation.  Whether the 112th Congress will start with a march toward legislation is an open issue.  My colleague Gerry Waldron has a post that provides a great look at the prospects for legislation.  In short, the Senate Commerce Committee may be able to move more quickly than the House Commerce Committee, given the significant changes in membership on the House side.

4.       The Plaintiffs’ Trial Bar.  More than 35 major privacy lawsuits were filed in 2010.  The lawsuits have targeted unexpected sharing of consumer data with third parties.  They also have focused on new tracking technologies that are alleged to circumvent user control, such as “Flash cookies,” “history sniffing,” “cookie re-spawning” and “deep packet inspection.”  Privacy litigation can be expected to be a significant focus in 2011.

5.       The European Commission.  And if the developments on this side of the Atlantic weren’t enough, consider that the 1995 EU Data Protection Directive will be reconsidered in 2011.  The safe harbor -- the EU regulation that permits data to pass from countries that have privacy laws on par with Europe and those, like the U.S., that don’t -- also is being reconsidered on its 10-year anniversary.  Some 2,500 companies and organizations now are certified under the safe harbor, which raises the stakes for American industry.

Multiple press outlets are reporting on remarks from Rep. Robert Goodlatte (R-Va.) regarding his intent to take up cybersecurity legislation during the 112th Congress.  In remarks at the 2011 State of the Net Conference, sponsored by the Congressional Internet Caucus, Goodlatte reportedly said that the Judiciary Committee should explore the use of “limited liability protections” as an incentive for companies to do more to protect their infrastructure from cyber attacks.  Goodlatte is a senior member of the House Committee on the Judiciary and the chair of the Subcommittee on Intellectual Property, Competition, and the Internet. 

This is a further indication of the interest around cybersecurity legislation in the next Congress.  During the 111th Congress, the Senate Homeland Security Committee and the Senate Commerce Committee each approved competing cybersecurity bills. Senate Majority Leader Harry Reid (D-Nev.) has said that reconciling these proposals and enacting comprehensive cybersecurity legislation will be a top priority in the 112th Congress.

On December 29, President Obama signed the “Restore Online Shoppers’ Confidence Act” into law.  The legislation prohibits e-commerce retailers from passing customers’ billing information to post-transaction third-party sellers, and also requires post-transaction sellers to meet certain requirements before charging consumers’ financial accounts.  Specifically, the post-transaction seller must (1) disclose all material terms of the transaction, including the fact that the post-transaction seller is not affiliated with the initial retailer; and (2) obtain billing information and affirmative consent for the transaction directly from the customer. 

The Act arose out of an investigation by the Senate Committee on Commerce, Science, and Transportation into the sales practices of Affinion, Vertrue, and Webloyalty.  These post-transaction sellers offered membership club enrollment to consumers who were completing transactions at popular online retail sites, although consumers often did not understand that they were entering into a separate relationship with the membership club or that they would be charged periodic fees. 

Continue Reading

Last week, Congress delivered to President Obama for his signature the “Red Flag Program Clarification Act of 2010,” which is intended to narrow the types of entities that are subject to the Federal Trade Commission’s Red Flags rule.  The Red Flags rule requires “financial institutions” and “creditors” to establish programs to detect, prevent, and mitigate identity theft in connection with consumer accounts.  The Act, which President Obama is expected to sign into law before the end of this year, is designed to exclude from Red Flags rule compliance certain classes of entities that the FTC previously determined could be creditors, such as doctors, lawyers, accountants, pharmacists and others who deliver services before receiving payment.

We've prepared a client alert that includes a more detailed summary of the new legislation.